Table Of Contents
Configuring Security on the GGSN
Configuring AAA Security Globally
Configuring RADIUS Server Communication Globally
Configuring RADIUS at the GPRS Configuration Level
Configuring Non-Transparent Access Mode
Specifying a RADIUS Server for All Access Points
Specifying a RADIUS Server for a Particular Access Point
Configuring the MSISDN IE for RADIUS Requests
Suppressing the MSISDN Number for RADIUS Authentication
Configuring IPSec Network Security
Configuring an IKE Policy
Configuring Pre-Shared Keys
Configuring Transform Sets
Configuring Security on the GGSN
This chapter describes how to configure security on the GGSN. The GGSN supports many of the same levels of security that are available through the Cisco IOS software on the router, including the following types of security:
• Authentication, authorization, and accounting (AAA) network security services
• RADIUS security services
• IP Security Protocol (IPSec)
AAA and RADIUS support provides the security services to authenticate and authorize access by mobile users to the GGSN and its APNs. IPSec support allows you to secure your data between the GGSN and its associated peers.
In some cases, such as with AAA and IPSec support, the GGSN works with the standard Cisco IOS software configuration without requiring configuration of any additional GPRS commands.
In the case of RADIUS server configuration, the GGSN requires that you enable AAA security and establish RADIUS server communication globally on the router. From there, you can configure RADIUS security for all GGSN access points, or on a per-access-point basis, using new GPRS configuration commands.
Note
In addition to the AAA, RADIUS, and IPSec security services, the GGSN also supports IP access lists to further control access to APNs. The GPRS software implements the new ip-access-group access-point configuration command to apply IP access list rules at an APN.
The security configuration procedures and examples in this publication (aside from those related to GGSN-specific implementation) describe the basic commands that you can use to implement the security services.
For some examples of configuring security on the GGSN, see the "GGSN Configuration Examples" chapter.
For more detailed information about AAA, RADIUS, and IPSec security services in the Cisco IOS software, refer to the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference publications.
For a complete description of the GPRS commands in this chapter, refer to the Cisco IOS Mobile Wireless Command Reference. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.
This chapter includes the following sections:
• Configuring AAA Security Globally (Required)
• Configuring RADIUS Server Communication Globally (Required)
• Configuring RADIUS at the GPRS Configuration Level (Required)
• Configuring IPSec Network Security (Optional)
Configuring AAA Security Globally
Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your GGSN. This section provides information about the basic commands used to implement AAA security on a Cisco Systems' router.
To enable AAA and configure authentication and authorization, use the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | `router(config)# aaa new-model` | Enables AAA globally. |
| Step 2 | `router(config)# aaa authentication ppp {default \| list-name} method1 [method2...]` | Creates a local authentication list, with the following options:<br>• default—Specifies that the authentication methods that follow this argument are the default list of authentication methods when a user logs in to the router.<br>• method—Specifies a valid AAA authentication method for PPP. For example, `group radius` enables global RADIUS authentication. |
| Step 3 | `router(config)# aaa authorization {auth-proxy \| network \| exec \| commands level \| reverse-access} {default \| list-name} [method1 [method2...]]` | Creates an authorization method list for a particular authorization type and enables authorization. |
For more information about configuring AAA, refer to the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference publications.
For an example, see the "AAA Security Configuration Example" section in the "GGSN Configuration Examples" chapter.
Configuring RADIUS Server Communication Globally
This section describes how to configure a global RADIUS server host that the GGSN can use to authenticate and authorize users. You can configure additional RADIUS server communication at the GPRS configuration level.
To globally configure RADIUS server communication on the router, use the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | `router(config)# radius-server host {hostname \| ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]` | Specifies the IP address or host name of the remote RADIUS server host. The following options are available:<br>• auth-port—Specifies the UDP destination port for authentication requests.<br>• acct-port—Specifies the UDP destination port for accounting requests.<br>• timeout—Specifies the time interval (in the range 1 to 1000 seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used.<br>• retransmit—Specifies the number of times (in the range 1 to 100) a RADIUS request is resent to a server, if that server is not responding or is responding slowly. This setting overrides the global value of the radius-server retransmit command.<br>• key—Specifies the authentication and encryption key used between the router and the RADIUS daemon running on this RADIUS server. This setting overrides the global value of the radius-server key command. |
| Step 2 | `router(config)# radius-server key string` | Specifies the shared secret text string used between the router and the vendor-proprietary RADIUS server. The router and the RADIUS server use this text string to encrypt passwords and exchange responses. |
For more information about configuring RADIUS security, refer to the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference publications.
For an example, see the "RADIUS Server Global Configuration Example" section in the "GGSN Configuration Examples" chapter.
Note
Although you can configure the radius-server host command multiple times, the Cisco IOS software supports only one RADIUS server at the same IP address.
Configuring RADIUS at the GPRS Configuration Level
To complete the security configuration for the GGSN, you must configure non-transparent access for each access point. When you configure security at the GPRS configuration level, you can also configure RADIUS server communication for all access points or for a specific access point.
Configuring RADIUS at the GPRS configuration level includes the following tasks:
• Configuring Non-Transparent Access Mode (Required)
• Specifying a RADIUS Server for All Access Points (Optional)
• Specifying a RADIUS Server for a Particular Access Point (Optional)
• Configuring the MSISDN IE for RADIUS Requests (Optional)
• Suppressing the MSISDN Number for RADIUS Authentication (Optional)
Configuring Non-Transparent Access Mode
To support RADIUS authentication on the GGSN, you must configure the GGSN access points for non-transparent access. You must configure non-transparent access for every access point at which you want to support RADIUS services; there is no way to specify the access mode globally.
To configure non-transparent access for a GGSN access point, use the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | `router(config)# gprs access-point-list list_name` | Specifies the access-point list name and enters access-point list configuration mode. |
| Step 2 | `router(config-ap-list)# access-point ap_number` | Specifies the number associated with an existing access point definition (or creates a new access point), and enters access point configuration mode. |
| Step 3 | `router(config-access-point)# access-mode non-transparent` | Specifies that the GGSN requests user authentication at the access point to a PDN. |
For more information about configuring GGSN access points, see the "Configuring the GPRS Access Point List on the GGSN" section.
Specifying a RADIUS Server for All Access Points
After you have configured RADIUS server communication at the global level, you can configure a default RADIUS server to be used by all GGSN access points.
To specify a default RADIUS server for all GGSN access points, use the following command in global configuration mode:
| Command | Purpose |
|---|---|
| `router(config)# gprs default radius-server {ip-address \| name} [{ip-address \| name}]` | Specifies a primary (and backup) RADIUS server that the GGSN uses to authenticate mobile users for access to PDNs, where:<br>• ip-address—Specifies the IP address of a RADIUS server. The second (optional) ip-address argument specifies the IP address of a backup RADIUS server.<br>• name—Specifies the host name of a RADIUS server. The second (optional) name argument specifies the host name of a backup RADIUS server. |
Specifying a RADIUS Server for a Particular Access Point
To override the default RADIUS server configured for all access points, you can specify a different RADIUS server for a particular access point. Or, if you choose not to configure a default GPRS RADIUS server, you can specify a RADIUS server at each access point.
To specify a RADIUS server for a particular access point, use the following command in access-point configuration mode:
| Command | Purpose |
|---|---|
| `router(config-access-point)# radius-server {ip-address \| name} [{ip-address \| name}]` | Specifies a primary (and backup) RADIUS server that the GGSN uses at a particular access point to authenticate mobile users for access to a PDN, where:<br>• ip-address—Specifies the IP address of a RADIUS server. The second (optional) ip-address argument specifies the IP address of a backup RADIUS server.<br>• name—Specifies the host name of a RADIUS server. The second (optional) name argument specifies the host name of a backup RADIUS server. |
Configuring the MSISDN IE for RADIUS Requests
To specify that the first byte of the Mobile Station International PSTN/ISDN (MSISDN) information element is included in a RADIUS request, use the following command beginning in global configuration mode:
| Command | Purpose |
|---|---|
| `router(config)# gprs radius msisdn first-byte` | Specifies that the first byte of the MSISDN IE is included in a RADIUS request. |
Suppressing the MSISDN Number for RADIUS Authentication
Certain countries have privacy laws that prohibit service providers from identifying the MSISDN number of mobile stations in authentication requests. Use the msisdn suppression command to specify a value that the GGSN sends in place of the MSISDN number in its authentication requests to a RADIUS server. If no value is configured, no number is sent to the RADIUS server.
To use the msisdn suppression command, you must configure a RADIUS server either globally or at the access point and specify non-transparent access mode.
To specify that the GGSN overrides or suppresses the MSISDN number in its RADIUS authentication, use the following command beginning in access-point configuration mode:
| Command | Purpose |
|---|---|
| `router(config-access-point)# msisdn suppression [value]` | (Optional) Specifies that the GGSN overrides the MSISDN number with a pre-configured value in its authentication requests to a RADIUS server. |
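The AAA, RADIUS and GPRS-level steps of the preceding sections assembled into one GGSN configuration, as an added example rather than the chapter's own configuration example. Every address, port, key, APN name and suppression value is a constructed placeholder; the access-point-name command belongs to the access point list chapter referenced earlier, not to the steps above.

```cisco
! Global AAA: enable AAA, then authenticate PPP users and authorize
! network services through the RADIUS server group
aaa new-model
aaa authentication ppp default group radius
aaa authorization network default group radius
!
! Global RADIUS: global timeout, retransmit and key, then two hosts.
! The first host overrides the global timeout, retransmit and key;
! the second host inherits them. Each host needs a distinct address,
! since only one server per IP address is supported.
! (Addresses, ports and keys are constructed placeholders.)
radius-server timeout 10
radius-server retransmit 2
radius-server key GLOBAL-SECRET-PLACEHOLDER
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 timeout 5 retransmit 3 key HOST-SECRET-PLACEHOLDER
radius-server host 10.1.1.11 auth-port 1645 acct-port 1646
!
! GPRS level: primary and backup server used by every access point,
! and include the first byte of the MSISDN IE in RADIUS requests
gprs default radius-server 10.1.1.10 10.1.1.11
gprs radius msisdn first-byte
!
gprs access-point-list gprs
! APN 1: non-transparent access (required for RADIUS), its own
! primary/backup server pair, and a fixed value sent in place of the
! subscriber's MSISDN (msisdn suppression requires both a RADIUS
! server and non-transparent mode on the access point)
 access-point 1
  access-point-name corporate.example.com
  access-mode non-transparent
  radius-server 10.1.1.20 10.1.1.21
  msisdn suppression 000000000000
!
! APN 2: non-transparent access, falls back to the default server pair
 access-point 2
  access-point-name internet.example.com
  access-mode non-transparent
```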
Configuring IPSec Network Security
In Cisco IOS Release 12.1(5)T and later, the GGSN software supports the IP security protocol for data authentication, confidentiality, encryption and integrity. IPSec data security can be implemented between the GGSN and another router on the PDN.
Note
To support IPSec on the GGSN, you must install an ISA card on your router.
Configuring IPSec network security includes the following tasks:
• Configuring an IKE Policy (Required)
• Configuring Pre-Shared Keys (Required, when pre-shared authentication is configured)
• Configuring Transform Sets (Optional)
• Configuring Crypto Map Entries that Use IKE to Establish Security Associations (Optional)
For more information about configuring IPSec, refer to the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference publications.
For an example, see the "IPSec Configuration Example" section in the "GGSN Configuration Examples" chapter.
Configuring an IKE Policy
You can create multiple Internet Key Exchange (IKE) policies, each with a different combination of parameter values. For each policy that you create, you assign a unique priority (1 through 10,000, with 1 being the highest priority).
You can configure multiple policies on each peer—but at least one of these policies must contain exactly the same encryption, hash, authentication, and Diffie-Hellman parameter values as one of the policies on the remote peer. For example, you can configure multiple policies on the GGSN to correlate with the policies for different PDNs.
Note
The 3DES security encryption algorithm is not supported in this GPRS release.
To configure an IKE policy on the GGSN and corresponding PDN, use the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | `router(config)# crypto isakmp policy priority` | Identifies the IKE policy, where priority is an integer (from 1 to 10,000) that uniquely identifies the policy. This command enters you into ISAKMP policy configuration mode. |
| Step 2 | `router(config-isakmp)# encryption des` | Specifies the encryption algorithm, where:<br>• des—Specifies 56-bit Data Encryption Standard (DES)-Cipher Block Chaining (CBC). This is the default value.<br>Note: Triple DES, or 168-bit DES encryption, is supported in the Cisco IOS software. It can be configured by using this command and specifying the 3des optional keyword. However, GPRS Release 1.4 in Cisco IOS Release 12.2 does not support the 3des optional keyword. |
| Step 3 | `router(config-isakmp)# hash {sha \| md5}` | Specifies the hash algorithm, where:<br>• sha—Specifies the Secure Hash Algorithm (SHA)-1. This is the default value.<br>• md5—Specifies the Message Digest 5 hash algorithm. |
| Step 4 | `router(config-isakmp)# authentication {rsa-sig \| rsa-encr \| pre-share}` | Specifies the authentication method, where:<br>• rsa-sig—Specifies the public key encryption system developed by Ron Rivest, Adi Shamir, and Leonard Adleman, which provides non-repudiation. This is the default value.<br>• rsa-encr—Specifies RSA encrypted nonces, which provide repudiation.<br>• pre-share—Specifies a pre-shared key that does not require use of a certification authority. Pre-shared keys might be easier to configure in a small network with fewer than 10 nodes. RSA signatures can be considered more secure than pre-shared keys. If you configure pre-share authentication, then you must configure the pre-shared keys on both the local and remote peer (GGSN and PDN). |
| Step 5 | `router(config-isakmp)# group {1 \| 2}` | Specifies the Diffie-Hellman group identifier, where:<br>• 1—Specifies 768-bit Diffie-Hellman. This is the default value.<br>• 2—Specifies 1024-bit Diffie-Hellman.<br>Note: The 1024-bit Diffie-Hellman option is harder to crack, but requires more CPU time to execute. |
| Step 6 | `router(config-isakmp)# lifetime seconds` | Specifies the security association's lifetime (in seconds). The default value is 86,400 seconds (1 day). |
For more information about the meaning of the IKE policy parameters, refer to the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference publications.
Configuring Pre-Shared Keys
When you configure the pre-share authentication method for your IKE policy, you also must configure the pre-shared keys on the GGSN and remote peer, or PDN.
To configure pre-shared keys on the GGSN and corresponding PDN, use one of the following commands beginning in global configuration mode:
| Command | Purpose |
|---|---|
| `router(config)# crypto isakmp key keystring address peer-address`<br>or<br>`router(config)# crypto isakmp key keystring hostname peer-hostname` | Specifies the shared key to be used between a local peer (GGSN) and a particular remote peer (PDN).<br>If the remote peer, or PDN, specifies the ISAKMP identity with an address, use the address keyword; otherwise use the hostname keyword.<br>When configuring the pre-shared keys on the GGSN, use the address or hostname of the PDN. When configuring the pre-shared keys on the PDN, use the address or hostname of the GGSN. |
Configuring Transform Sets
A transform set represents a certain combination of security protocols and algorithms. During the IPSec security association negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
To configure a transform set on the GGSN and corresponding PDN, use the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | `router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]` | Defines a transform set and enters crypto transform configuration mode.<br>There are complex rules defining which entries you can use for the transform arguments. For more information, refer to the Cisco IOS Security Configuration Guide and Cisco IOS Security Command Reference publications. |
| Step 2 | `router(config-crypto-transform)# mode [tunnel \| transport]` | (Optional) Changes the mode associated with the transform set. The following options are available:<br>• tunnel—Protects (encrypts, authenticates) and encapsulates the entire original IP packet.<br>• transport—Protects (encrypts, authenticates) and encapsulates only the payload or data portion of the IP packet.<br>Note: The mode setting is applicable only to traffic whose source and destination addresses are the IPSec peer addresses; it is ignored for all other traffic. |
Configuring Crypto Map Entries that Use IKE to Establish Security Associations
When you use IKE to establish security associations, you can specify a list of acceptable settings to be used during IPSec peer negotiation using a crypto map entry.
To configure crypto map entries on the GGSN and corresponding PDN, use the following commands beginning in global configuration mode:
| Step | Command | Purpose |
|---|---|---|
| Step 1 | `router(config)# crypto map map-name seq-num ipsec-isakmp` | Creates or modifies a crypto map entry and enters crypto map configuration mode. |
| Step 2 | `router(config-crypto-map)# match address access-list-id` | Names an extended access list. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec in the context of the current crypto map entry. |
| Step 3 | `router(config-crypto-map)# set peer {hostname \| ip-address}` | Specifies a remote IPSec peer. This is the peer to which IPSec-protected traffic can be forwarded. |
| Step 4 | `router(config-crypto-map)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]` | Specifies which transform sets are allowed for this crypto map entry. List multiple transform sets in order of priority (highest priority first). |
| Step 5 | `router(config-crypto-map)# set security-association lifetime seconds seconds`<br>and/or<br>`router(config-crypto-map)# set security-association lifetime kilobytes kilobytes` | (Optional) Specifies a security association lifetime for the crypto map entry, if you want the security associations for the current crypto map entry to be negotiated using different IPSec security association lifetimes than the global lifetimes. |
| Step 6 | `router(config-crypto-map)# set security-association level per-host` | (Optional) Specifies that separate security associations should be established for each source/destination pair.<br>Note: Use this command with care, as multiple streams between given subnets can rapidly consume resources. |
| Step 7 | `router(config-crypto-map)# set pfs [group1 \| group2]` | (Optional) Specifies that IPSec should ask for perfect forward secrecy (PFS) when requesting new security associations for the current crypto map entry, or should demand PFS in requests received from the IPSec peer. |
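The IKE policy, pre-shared key, transform set and crypto map steps of this section assembled on the GGSN side, as an added example rather than the chapter's own configuration example. Peer addresses, subnets, the key, set and map names and the interface are constructed placeholders; esp-des and esp-sha-hmac are Cisco IOS transform keywords this chapter does not list, and the closing interface commands are an assumed step outside the procedure above.

```cisco
! IKE policy (Configuring an IKE Policy). DES is the only encryption
! this GPRS release supports; group 2 and a 12-hour lifetime are chosen
! here in place of the defaults (group 1, 86,400 seconds). The PDN
! router must carry a policy with exactly these values.
crypto isakmp policy 10
 encryption des
 hash sha
 authentication pre-share
 group 2
 lifetime 43200
!
! Pre-shared key for the PDN peer (Configuring Pre-Shared Keys). The PDN
! side configures the same key against the GGSN address 192.0.2.1.
! Key and addresses are constructed placeholders.
crypto isakmp key PSK-PLACEHOLDER address 192.0.2.2
!
! Transform set (Configuring Transform Sets): ESP with DES and SHA-HMAC,
! tunnel mode so the entire original IP packet is encapsulated
crypto ipsec transform-set ggsn-pdn-set esp-des esp-sha-hmac
 mode tunnel
!
! Extended access list named by match address: only traffic between the
! GGSN-side subnet and the PDN-side subnet is IPSec-protected
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! Crypto map entry (Configuring Crypto Map Entries that Use IKE):
! one-hour SA lifetime instead of the global value, and PFS with group 2
crypto map ggsn-pdn-map 10 ipsec-isakmp
 match address 101
 set peer 192.0.2.2
 set transform-set ggsn-pdn-set
 set security-association lifetime seconds 3600
 set pfs group2
!
! Assumed step not covered by this chapter: the crypto map only takes
! effect once applied to the interface facing the PDN
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map ggsn-pdn-map
```

The PDN router needs the mirror image: an IKE policy with the same encryption, hash, authentication and group values, the same key configured against 192.0.2.1, the same transform set, and an access list with the source and destination subnets swapped.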